creates the following files on your PC:
- c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe (detected as Trojan:Win32/Rimod)
- c:\documents and settings\all users\start menu\programs\startup\winlogon.exe
Modifies system security settings
Trojan:Win32/Swisyn.K adds itself to the list of applications that are authorized to access the Internet without being stopped by the Firewall. It does this by making the following registry modification:
Adds value: "C:\Documents and Settings\Administrator\Local Settings\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe"
With data: "c:\documents and settings\administrator\local settings\temp\new_ddd67.exe_6b78578b7097c08eb500d2f8b8a1c1ac01931605.exe:*:enabled:qvod"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Contacts remote host
The malware might contact a remote host at agent.qvod.com using port 80. Commonly, malware contacts a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 1ff614bdf337719543ba92dffa6631ea457125c8.